RFC 2881                    NASreq NAS Model                   July 2000


                               Users
                             v v v v v v v
                             | | PSTN  | |
                             | |  or   | |
                             |encapsulated
                          +-----------------+
                          |    (Modems)     |
                          +-----------------+
                             | | | | | | |
                   +--+----------------------------+
                   |  |                            |
                   |N |     Client Interface       |
                   |  |                            |
                   |A +----------Routing ----------+
                   |  |                            |
                   |S |    Network Interface       |
                   |  |                            |
                   +--+----------------------------+
                           /      |     \
                          /       |      \
                         /        |       \
                        /         |        \
      POLICY MANAGEMENT/          |         \  DEVICE MANAGEMENT
      +---------------+           |          +-------------------+
      | Authentication|         _/^\_        |Device Provisioning|
      +---------------+       _/     \_      +-------------------+
      | Authorization |     _/         \_    |Device Monitoring  |
      +---------------+   _/             \_  +-------------------+
      | Accounting    |  /       The       \
      +---------------+  \_   Network(s)  _/
      | Auditing      |    \_           _/
      +---------------+      \_       _/
                               \_   _/
                                 \_/

9.2 Terminology

   Following is a description of the modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces - A NAS has one or more client interfaces, which
      provide the interface to the end users who are requesting network
      access.  Users may connect to these client interfaces via modems
      over a PSTN, or via tunnels over a data network.  Two broad
      classes of NAS's may be defined, based on the nature of the
      incoming client interfaces, as follows. Note that a single NAS
      device may serve in both classes:




Mitton & Beadles             Informational                     [Page 11]

RFC 2881                    NASreq NAS Model                   July 2000


   Dial Access Servers - A Dial Access Server is a NAS whose client
      interfaces consist of modems, either local or remote, which are
      attached to a PSTN.

   Tunnel Servers - A Tunnel Server is a NAS whose client interfaces
      consist of tunneling endpoints in a protocol such as L2TP.

   Network Interfaces - A NAS has one or more network interfaces, which
      connect to the networks to which access is being granted.

   Routing - If the network to which access is being granted is a routed
      network, then a NAS will typically include routing functionality.

   Policy Management Interface - A NAS provides an interface which
      allows access to network services to be managed on a per-user
      basis. This interface may be a configuration file, a graphical
      user interface, an API, or a protocol such as RADIUS, Diameter, or
      COPS [19].  This interface provides a mechanism for granular
      resource management and policy enforcement.

   Authentication - Authentication refers to the confirmation that a
      user who is requesting services is a valid user of the network
      services requested.  Authentication is accomplished via the
      presentation of an identity and credentials.  Examples of types of
      credentials are passwords, one-time tokens, digital certificates,
      and phone numbers (calling/called).

   Authorization - Authorization refers to the granting of specific
      types of service (including "no service") to a user, based on
      their authentication, what services they are requesting, and the
      current system state.  Authorization may be based on restrictions,
      for example time-of-day restrictions, or physical location
      restrictions, or restrictions against multiple logins by the same
      user.  Authorization determines the nature of the service which is
      granted to a user.  Examples of types of service include, but are
      not limited to: IP address filtering, address assignment, route
      assignment, QoS/differential services, bandwidth control/traffic
      management, compulsory tunneling to a specific endpoint, and
      encryption.
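
   The following is an added example (not from RFC 2881) that makes one
   such decision in Python: it takes an already authenticated user, the
   service asked for and the current system state (time of day, calling
   number, the user's active sessions) and returns either "no service"
   with a reason or a grant expressed as per-session attributes.  The
   policy table, user names, calling numbers and attribute names are
   constructed; the attribute names borrow the RADIUS vocabulary of RFC
   2865 and RFC 2868 only so that the grant is concrete.

```python
"""Added example, not from RFC 2881: a NAS authorization decision of the kind
the definition above describes.  The policy table, users, calling numbers and
attribute names are constructed; attribute names follow RADIUS (RFC 2865,
RFC 2868) only to make the granted service concrete."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass
class Policy:
    allowed_from: time                  # time-of-day window in which access is granted
    allowed_until: time
    max_sessions: int                   # restriction against multiple logins
    allowed_callers: set = field(default_factory=set)   # calling numbers; empty = any
    filter_id: str = "default-acl"      # IP address filtering applied to the session
    tunnel_endpoint: Optional[str] = None   # compulsory tunneling when set


# Constructed per-user policy.  A real NAS obtains this through its policy
# management interface (configuration, API, or a RADIUS/Diameter/COPS server).
POLICIES = {
    "alice@example.net": Policy(time(8, 0), time(18, 0), 1, {"+12025550143"}, "staff-acl"),
    "bob@partner.example": Policy(time(0, 0), time(23, 59, 59), 2, set(), "partner-acl",
                                  "tunnel.example.net"),
}


def authorize(user: str, service: str, calling_number: str, now: datetime,
              active_sessions: dict) -> tuple:
    """Decide for an already authenticated user.  Returns ("reject", reason)
    or ("accept", attributes); "no service" is itself a valid outcome."""
    policy = POLICIES.get(user)
    if policy is None:
        return ("reject", "no policy for user")
    if service != "framed-ppp":
        return ("reject", f"service {service!r} not offered to this user")
    if not policy.allowed_from <= now.time() < policy.allowed_until:
        return ("reject", "outside time-of-day window")
    if policy.allowed_callers and calling_number not in policy.allowed_callers:
        return ("reject", "calling number not permitted (location restriction)")
    if active_sessions.get(user, 0) >= policy.max_sessions:
        return ("reject", "concurrent session limit reached")

    # Enforce the time-of-day restriction for the whole session, not only at
    # login: Session-Timeout is the number of seconds left in the window.
    window_end = datetime.combine(now.date(), policy.allowed_until)
    attributes = {
        "Service-Type": "Framed-User",
        "Framed-Protocol": "PPP",
        "Filter-Id": policy.filter_id,
        "Session-Timeout": int((window_end - now).total_seconds()),
    }
    if policy.tunnel_endpoint:
        attributes["Tunnel-Type"] = "L2TP"
        attributes["Tunnel-Server-Endpoint"] = policy.tunnel_endpoint
    return ("accept", attributes)


def run_decisions() -> dict:
    """Several decisions against one constructed snapshot of system state."""
    now = datetime(2000, 7, 1, 17, 30)            # 17:30 on the NAS's clock
    active = {"bob@partner.example": 1}
    return {
        "alice_ok": authorize("alice@example.net", "framed-ppp", "+12025550143", now, active),
        "alice_wrong_phone": authorize("alice@example.net", "framed-ppp", "+12025550199", now, active),
        "alice_late": authorize("alice@example.net", "framed-ppp", "+12025550143",
                                now.replace(hour=19), active),
        "alice_second_login": authorize("alice@example.net", "framed-ppp", "+12025550143",
                                        now, {"alice@example.net": 1}),
        "bob_tunneled": authorize("bob@partner.example", "framed-ppp", "+441632960123", now, active),
        "unknown": authorize("mallory@example.net", "framed-ppp", "+12025550143", now, active),
    }


if __name__ == "__main__":
    for name, decision in run_decisions().items():
        print(name, decision)
```

   Session-Timeout is computed as the seconds left in the time-of-day
   window so that the restriction is enforced for the life of the
   session rather than only at login; otherwise a user who connects at
   17:59 keeps the service indefinitely.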

   Accounting - Accounting refers to the tracking of the consumption of
      NAS resources by users. This information may be used for
      management, planning, billing, or other purposes.  Real-time
      accounting refers to accounting information that is delivered
      concurrently with the consumption of the resources.  Batch
      accounting refers to accounting information that is saved until it





Mitton & Beadles             Informational                     [Page 12]

RFC 2881                    NASreq NAS Model                   July 2000


      is delivered at a later time.  Typical information that is
      gathered in accounting is the identity of the user, the nature of
      the service delivered, when the service began, and when it ended.
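
   The following is an added example (not from RFC 2881) of the
   receiving side of accounting: a small reconciler, in Python, over a
   constructed stream of records that uses the RADIUS accounting
   attribute names of RFC 2866 in a key=value line format of the
   example's own.  It shows the points made above in working form: a
   Start/Stop pair (with Interim updates) yields identity, service,
   begin and end; a record delivered late carries Acct-Delay-Time, from
   which the true event time is recovered; a retransmitted Stop is
   collapsed by Acct-Session-Id; and a session with no recent record is
   flagged, which is what a real-time view of usage needs.

```python
"""Added example, not from RFC 2881: reconciling a stream of NAS accounting
records.  The records below are constructed, in a key=value line format of this
example's own; the attribute names are those of RADIUS accounting (RFC 2866)."""
from datetime import datetime, timedelta, timezone

RECORDS = """\
2000-07-01T10:00:00Z Acct-Status-Type=Start Acct-Session-Id=8000001 User-Name=alice Acct-Delay-Time=0
2000-07-01T10:00:05Z Acct-Status-Type=Start Acct-Session-Id=8000002 User-Name=bob Acct-Delay-Time=0
2000-07-01T10:30:00Z Acct-Status-Type=Interim-Update Acct-Session-Id=8000001 User-Name=alice Acct-Session-Time=1800 Acct-Input-Octets=1048576 Acct-Output-Octets=4194304 Acct-Delay-Time=0
2000-07-01T11:00:10Z Acct-Status-Type=Stop Acct-Session-Id=8000001 User-Name=alice Acct-Session-Time=3600 Acct-Input-Octets=2097152 Acct-Output-Octets=8388608 Acct-Terminate-Cause=User-Request Acct-Delay-Time=10
2000-07-01T11:00:15Z Acct-Status-Type=Stop Acct-Session-Id=8000001 User-Name=alice Acct-Session-Time=3600 Acct-Input-Octets=2097152 Acct-Output-Octets=8388608 Acct-Terminate-Cause=User-Request Acct-Delay-Time=15
"""
NOW = datetime(2000, 7, 1, 12, 0, tzinfo=timezone.utc)   # constructed "current time" for the report


def parse_record(line: str) -> dict:
    stamp, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    received = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Acct-Delay-Time is how long the NAS had been trying to deliver this
    # record, so the event happened that many seconds before it was received.
    rec["received"] = received
    rec["event_time"] = received - timedelta(seconds=int(rec.get("Acct-Delay-Time", "0")))
    return rec


def reconcile(text: str, now: datetime, stale_after: timedelta = timedelta(minutes=30)) -> dict:
    """Fold the record stream into one entry per Acct-Session-Id."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        s = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec["User-Name"], "status": "open", "start": None,
            "duplicates": 0, "input_octets": 0, "output_octets": 0})
        kind = rec["Acct-Status-Type"]
        if kind == "Stop" and s["status"] == "closed":
            s["duplicates"] += 1            # retransmitted Stop: already applied, count once
            continue
        s["last_seen"] = rec["event_time"]
        if kind == "Start":
            s["start"] = rec["event_time"]
        else:                               # Interim-Update and Stop carry cumulative counters
            s["input_octets"] = int(rec.get("Acct-Input-Octets", 0))
            s["output_octets"] = int(rec.get("Acct-Output-Octets", 0))
            s["reported_session_time"] = int(rec["Acct-Session-Time"])
        if kind == "Stop":
            s["status"] = "closed"
            s["terminate_cause"] = rec.get("Acct-Terminate-Cause")
            # Cross-check the NAS's own session clock against the Start and Stop event times.
            s["session_time_consistent"] = (s["start"] is not None and
                (rec["event_time"] - s["start"]).total_seconds() == s["reported_session_time"])
    for s in sessions.values():             # real-time view: open sessions must keep reporting
        if s["status"] == "open" and now - s["last_seen"] > stale_after:
            s["status"] = "stale"
    return sessions


def usage_by_user(sessions: dict) -> dict:
    """Per-user consumption: the accounting question, as opposed to the
    auditing question of what each user did while connected."""
    totals = {}
    for s in sessions.values():
        t = totals.setdefault(s["user"], {"sessions": 0, "octets": 0, "seconds": 0})
        t["sessions"] += 1
        t["octets"] += s["input_octets"] + s["output_octets"]
        t["seconds"] += s.get("reported_session_time", 0)
    return totals


def run_report() -> tuple:
    sessions = reconcile(RECORDS, NOW)
    return sessions, usage_by_user(sessions)


if __name__ == "__main__":
    for sid, s in run_report()[0].items():
        print(sid, s["user"], s["status"], s.get("reported_session_time"), s["duplicates"])
```

   Two details matter in practice: the duplicate Stop is recognised by
   Acct-Session-Id before its counters are applied, since a retransmit
   counted twice doubles the bill, and a stale open session is surfaced
   instead of being assumed healthy, since a NAS that lost its server
   (or a session whose Stop was never delivered) looks identical to a
   long-lived session until somebody checks.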

   Auditing - Auditing refers to the tracking of activity by users.  As
      opposed to accounting, where the purpose is to track consumption
      of resources, the purpose of auditing is to determine the nature
      of a user's network activity.  Examples of auditing information
      include the identity of the user, the nature of the services used,
      what hosts were accessed when, what protocols were used, etc.

   AAAA Server - An AAAA Server is a server or servers that provide
      authentication, authorization, accounting, and auditing services.
      These may be co-located with the NAS, or more typically, are
      located on a separate server and communicate with the NAS's Policy
      Management Interface via an AAAA protocol.  The four AAAA
      functions may be located on a single server, or may be broken up
      among multiple servers.

   Device Management Interface - A NAS is a network device which is
      owned, operated, and managed by some entity.  This interface
      provides a means for this entity to operate and manage the NAS.
      This interface may be a configuration file, a graphical user
      interface, an API, or a protocol such as SNMP [20].

   Device Monitoring - Device monitoring refers to the tracking of
      status, activity, and usage of the NAS as a network device.

   Device Provisioning - Device provisioning refers to the
      configurations, settings, and control of the NAS as a network
      device.

9.3 Analysis

   Following is an analysis of the functions of a NAS using the
   reference model above:

9.3.1 Authentication and Security

   NAS's serve as the first point of authentication for network users,
   providing security to user sessions.  This security is typically
   performed by checking credentials such as a PPP PAP user
   name/password pair or a PPP CHAP user name and challenge/response,
   but may be extended to authentication via telephone number
   information, digital certificates, or biometrics.  NAS's also may
   authenticate themselves to users.  Since a NAS may be shared among
   multiple administrative entities, authentication may actually be
   performed via a back-end proxy, referral, or brokering process.
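
   The following is an added example (not part of RFC 2881 and not any
   vendor's NAS code) of the two PPP checks named above, done in
   Python the way a NAS would do them: a PAP Authenticate-Request is
   parsed and the password compared directly, and a CHAP challenge is
   issued, answered with MD5(Identifier || secret || Challenge) as RFC
   1994 specifies, and verified.  The credential table and user are
   constructed for the demonstration; a shared or outsourced NAS would
   typically hand the challenge and response to a back-end AAAA server
   or proxy rather than hold the secret itself.

```python
"""Added example, not from RFC 2881 or any vendor's code: the two PPP
credential checks the text names, as a NAS would perform them.

PAP (RFC 1334) carries the user name and password in the clear, so the NAS
verifies by direct comparison and anyone on the path learns the password.
CHAP (RFC 1994) has the NAS send a random Challenge and the peer answer with
MD5(Identifier || secret || Challenge); the secret never crosses the link and
a captured Response is useless against the next Challenge.
"""
import hashlib
import hmac
import os

# Constructed credential store.  A shared or outsourced NAS would usually not
# hold secrets itself but forward the CHAP challenge/response (or the PAP
# password) to a back-end AAAA server or proxy for verification.
SECRETS = {"alice": b"correct horse battery staple"}


def pap_authenticate_request(user: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334 section 2.2.1):
    Peer-ID-Length, Peer-ID, Passwd-Length, Password, all in cleartext."""
    u = user.encode()
    return bytes([len(u)]) + u + bytes([len(password)]) + password


def pap_verify(payload: bytes) -> bool:
    """NAS side of PAP: parse the request and compare the password directly."""
    ulen = payload[0]
    user = payload[1:1 + ulen].decode(errors="replace")
    plen = payload[1 + ulen]
    password = payload[2 + ulen:2 + ulen + plen]
    stored = SECRETS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def chap_challenge(size: int = 16) -> bytes:
    """NAS side of CHAP: a fresh, unpredictable Challenge Value per attempt.
    Reusing a challenge is what would make a captured response replayable."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of CHAP (RFC 1994 section 4.1, MD5 algorithm):
    Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """NAS side of CHAP: recompute from the stored secret and the challenge
    it issued, compare in constant time.  Unknown users fail closed."""
    secret = SECRETS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_ppp_exchange() -> dict:
    """Drive both checks and report what an observer on the link would see."""
    password = SECRETS["alice"]

    # PAP: the only thing on the wire is the credential itself.
    pap_wire = pap_authenticate_request("alice", password)

    # CHAP: challenge 1 answered correctly, then the same response replayed
    # against challenge 2 (a new attempt, or a new session).
    ident = 0x01
    chal1 = chap_challenge()
    resp1 = chap_response(ident, password, chal1)
    chal2 = chap_challenge()

    return {
        "pap_accepts": pap_verify(pap_wire),
        "pap_wire_exposes_password": password in pap_wire,
        "chap_accepts": chap_verify("alice", ident, chal1, resp1),
        "chap_wire_exposes_password": password in chal1 + resp1,
        "chap_rejects_wrong_secret": not chap_verify(
            "alice", ident, chal1, chap_response(ident, b"guess", chal1)),
        "chap_rejects_replay": not chap_verify("alice", ident, chal2, resp1),
        "chap_rejects_unknown_user": not chap_verify("mallory", ident, chal1, resp1),
    }


if __name__ == "__main__":
    for check, result in run_ppp_exchange().items():
        print(f"{check:32s} {result}")
```

   run_ppp_exchange() shows the difference the text points at: the PAP
   request contains the password in the clear, the CHAP exchange does
   not, and a CHAP response captured from one attempt fails against the
   next challenge, provided the NAS never reuses a challenge value.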
   In addition to user security, NAS's may themselves be operated as
   secure devices.  This may include secure methods of management and
   monitoring, use of IP Security [21] and even participation in a
   Public Key Infrastructure.

9.3.2 Authorization and Policy

   NAS's are the first point of authorization for usage of network
   resources, and NAS's serve as policy enforcement points for the
   services that they deliver to users.  NAS's may provision these
   services to users in a statically or dynamically configured fashion.
   Resource management can be performed at a NAS by granting specific
   types of service based on the current network state.  In the case of
   shared operation, NAS policy may be determined based on the policy of
   multiple end systems.

9.3.3 Accounting and Auditing

   Since NAS services are consumable resources, usage information must
   often be collected for the purposes of soft policy management,
   reporting, planning, and accounting.  A dynamic, real-time view of
   NAS usage is often required for network auditing purposes.  Since a
   NAS may be shared among multiple administrative entities, usage
   information must often be delivered to multiple endpoints.
   Accounting is performed using such protocols as RADIUS [2].

9.3.4 Resource Management

   NAS's deliver resources to users, often in a dynamic fashion.
   Examples of the types of resources doled out by NAS's are IP
   addresses, network names and name server identities, tunnels, and
   PSTN resources such as phone lines and numbers.  Note that NAS's may
   be operated in an outsourcing model, where multiple entities are
   competing for the same resources.

9.3.5 Virtual Private Networks (VPN's)

   NAS's often participate in VPN's, and may serve as the means by which
   VPN's are implemented.  Examples of the use of NAS's in VPN's are:
   Dial Access Servers that build compulsory tunnels, Dial Access
   Servers that provide services to voluntary tunnelers, and Tunnel
   Servers that provide tunnel termination services.  NAS's may
   simultaneously provide VPN and public network services to different
   users, based on policy and user identity.

9.3.6 Service Quality

   A NAS may deliver different qualities, types, or levels of service
   to different users based on policy and identity.  NAS's may perform
   bandwidth management, allow differential speeds or methods of access,
   or even participate in provisioned or signaled Quality of Service
   (QoS) networks.

9.3.7 Roaming

   NAS's are often operated in a shared or outsourced manner, or a NAS
   operator may enter into agreements with other service providers to
   grant access to users from these providers (roaming operations).
   NAS's often are operated as part of a global network.  All these
   imply that a NAS often provides services to users from multiple
   administrative domains simultaneously.  The features of NAS's may
   therefore be driven by requirements of roaming [22].

10. Security Considerations

   This document describes a model not a particular solution.

   As mentioned in section 9.3.1 and elsewhere, NAS's are concerned
   about the security of several aspects of their operation, including:

      - Providing sufficiently robust authentication techniques as
        required by network policies,
      - NAS authentication of configured authentication server(s),
      - Server ability to authenticate configured clients,
      - Hiding of the authentication information from network snooping
        to protect from attacks and provide user privacy,
      - Protecting the integrity of message exchanges from attacks
        such as replay or man-in-the-middle,
      - Inability of other hosts to interfere with services authorized
        to the NAS, or to gain unauthorized services,
      - Inability of other hosts to probe or guess at authentication
        information,
      - Protection of NAS system configuration and administration from
        unauthorized users,
      - Protection of the network from illegal packets sourced by
        accessing connections.
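
   Several of these items are exactly what the RADIUS protocol named in
   section 9.3.3 provides between a NAS and its AAAA server, and what
   the back-end proxy or broker of section 9.3.1 relies on.  The
   following is an added example, not from RFC 2881 and not from any
   RADIUS implementation, that builds an Access-Request on the NAS side
   and answers it on the server side in one Python process: the PAP
   password is hidden per RFC 2865 section 5.2 (hiding authentication
   information from snooping), the request carries a
   Message-Authenticator per RFC 2869 section 5.14 (server
   authentication of its configured client, and integrity against
   modification in transit), and the NAS checks the Response
   Authenticator of RFC 2865 section 3 (NAS authentication of its
   configured server, and rejection of forged Access-Accepts).  The
   shared secret, user table and Identifier are constructed.

```python
"""Added example, not from RFC 2881 or any RADIUS implementation: the RFC 2865
and RFC 2869 mechanisms behind the list above, NAS and server sides run in one
process.  The shared secret, user table and Identifier are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80
USERS = {"alice": b"correct horse battery staple"}   # constructed server-side table

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, 2 + len(value)]) + value      # Type, Length (incl. header), Value

def parse_attrs(body: bytes):
    out, i = {}, 0
    while i + 2 <= len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            return None                               # malformed: caller discards
        out[kind], i = body[i + 2:i + length], i + length
    return out

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-octet blocks; c1 = p1 XOR MD5(S+RA), c(i) = p(i) XOR MD5(S+c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def add_message_authenticator(pkt: bytes, secret: bytes) -> bytes:
    """RFC 2869 5.14: HMAC-MD5(secret, whole packet) with the attribute value zeroed while
    computing.  Lets the server authenticate its configured client and detect modification."""
    with_zeros = packet(pkt[0], pkt[1], pkt[4:20], pkt[20:] + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    return with_zeros[:-16] + hmac.new(secret, with_zeros, hashlib.md5).digest()

def check_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    body, i = pkt[20:], 0
    while i + 2 <= len(body):
        kind, length = body[i], max(body[i + 1], 2)
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:20] + body[:i + 2] + b"\x00" * 16 + body[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), body[i + 2:i + 18])
        i += length
    return False                    # absent: nothing ties the request to a configured client

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret); proves the reply's origin."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def nas_build_access_request(user: str, password: bytes, secret: bytes, ident: int) -> tuple:
    request_auth = os.urandom(16)                       # fresh and unpredictable per request
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return add_message_authenticator(packet(ACCESS_REQUEST, ident, request_auth, attrs), secret), request_auth

def server_handle(pkt: bytes, secret: bytes):
    """Authenticate the client before looking at the user.  None = silently drop."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth, fields = pkt[4:20], parse_attrs(pkt[20:])
    if code != ACCESS_REQUEST or length != len(pkt) or fields is None or not check_message_authenticator(pkt, secret):
        return None
    stored = USERS.get(fields.get(USER_NAME, b"").decode(errors="replace"))
    given = unhide_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if stored is not None and hmac.compare_digest(stored, given) else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")

def nas_verify_response(resp: bytes, request_auth: bytes, secret: bytes, ident: int) -> bool:
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):             # must match an outstanding request
        return False
    return hmac.compare_digest(response_authenticator(code, rid, resp[20:], request_auth, secret), resp[4:20])

def run_radius_exchange(secret: bytes = b"constructed-shared-secret", ident: int = 0x2A) -> dict:
    req, request_auth = nas_build_access_request("alice", USERS["alice"], secret, ident)
    resp = server_handle(req, secret)
    tampered = bytearray(req)
    tampered[22] ^= 0x01                                # first octet of the User-Name value
    forged = packet(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, b"wrong"), b"")
    return {
        "password_on_wire": USERS["alice"] in req,
        "accepted": resp is not None and resp[0] == ACCESS_ACCEPT,
        "reply_authentic": resp is not None and nas_verify_response(resp, request_auth, secret, ident),
        "tampered_request_discarded": server_handle(bytes(tampered), secret) is None,
        "forged_reply_rejected": not nas_verify_response(forged, request_auth, secret, ident),
    }
```

   All three protections rest on MD5 and on a shared secret held by
   every NAS and server on the path, and the Request Authenticator
   must be unpredictable and never repeat, or the keystream that hides
   the password repeats with it; deployments that keep this packet
   format today carry it inside TLS (RadSec, RFC 6614) or DTLS (RFC
   7360) between NAS and server.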









